azeem via FreeIPA-users wrote:

Hi Rob,

Thanks for you reply. FreeIPA, version: 4.2.0 - Centos 7 And yes are right. Here's the list of all the certifficates :-

getcert list Number of certificates and requests being tracked: 8. Request ID '20160825909273': status: CA_UNREACHABLE ca-error: Server at https://test.domain.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=test.domain.com,O=TEST-DOMAIN-COM expires: 2023-12-18 15:52:08 UTC principal name: ldap/test.domain.com(a)TEST.DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM track: yes auto-renew: yes Request ID '20160825202951': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=CA Audit,O=TEST.DOMAIN.COM expires: 2023-06-29 10:17:49 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20160825202952': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=OCSP Subsystem,O=TEST-DOMAIN-COM expires: 2023-06-29 10:16:09 UTC eku: id-kp-OCSPSigning pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20160825202953': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=CA Subsystem,O=TEST-DOMAIN-COM expires: 2023-06-29 10:16:29 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20160825202954': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=Certificate Authority,O=TEST-DOMAIN-COM expires: 2035-10-30 19:52:54 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20160825202955': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=test.domain.com,O=TEST-DOMAIN-COM expires: 2024-04-23 15:52:18 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20160825203104': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=test.domain.com,O=TEST-DOMAIN-COM expires: 2024-10-14 20:01:14 UTC principal name: HTTP/test.domain.com@TEST.DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20160825203110': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=IPA RA,O=TEST-DOMAIN-COM expires: 2023-06-29 10:16:20 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes

You're running such an old version of RHEL and IPA that you're going to need to do this the hard way.

Some of the certs expired nearly a year ago.

I'd recommend, if you can, snapshot the system so you can recover if anything goes awry.

What you're going to need to do is stop ntpd and go back in time to 2023-06-28. Once you do that run ipactl restart. That will hopefully bring all the services back up and operational.

See if this host is the renweal master: ipa config-show

If it is then proceed. If not you'll need to set it as the renewal master: ipa config-mod --ca-renewal-master-server=<this FQDN>

Restart certmonger and then watch to see if the renewals happen.

getcert list | grep status

The certs should go into SUBMITTING and eventually hopefully MONITORING. It may be a bumpy ride as the certs need to renew one at a time and there will be a lot of service restarts so it may take a while.

Assuming all the certs renew then you can come back to present time, ipactl restart, and things should work for another year.

rob

Hi Rob,

Apologies for the late response. I have set the server time back to 2023-06-23 and when i am running the command - ipa config-show , I am getting :-

ipa config-show ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

And when i am doing kinit user , i am getting :- kinit: Generic error (see e-text) while getting initial credentials

The getcert list command shows :- Number of certificates and requests being tracked: 8. Request ID '20160825909273': status: MONITORING ca-error: Error setting up ccache for "host" service on client using default keytab: Generic error (see e-text). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM subject: CN=test.domain.com,O=TEST-DOMAIN-COM expires: 2023-12-18 15:52:08 UTC principal name: ldap/test.domain.com(a)TEST.DOMAIN.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM track: yes auto-renew: yes

Please advice.

Hi Rob,

I restarted the IPA services. After that, when I run 'ipa config-show', I am getting the following error.

ipa config-show ipa: ERROR: Kerberos error: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)/

Unfortunately, I am not able to execute 'kinit user'; I am encountering the following error: kinit: Generic error (see e-text) while getting initial credentials

And yes, all the services started correctly.